cannot access protected variables when using `only: merge_requests` parameter

Summary

When using the only: merge_requests parameter protected variables can not be accessed in that job.

This happens on gitlab.com as well as our on-premise EE installation.

Steps to reproduce

Add a protected variable to a project and create a job like so:

job-name:
  only: merge_requests
  script:
    - echo $protected_variable_name

The protected variable won't be shown.

Example Project

• project
• Merge Request
• Pipeline

What is the current bug behavior?

The content of the protected variable is not showing.

What is the expected correct behavior?

The content of the protected variable.

Relevant logs and/or screenshots

Output from relevant job in pipeline mentioned above:

Running with gitlab-runner 11.9.0-rc2 (227934c0)
  on docker-auto-scale 72989761
Using Docker executor with image ruby:2.5 ...
Pulling docker image ruby:2.5 ...
Using docker image sha256:e86557c9a8ab97ec7e9ba705f3e3411428b50d19d38643a0f52cb49faf735d3d for ruby:2.5 ...
Running on runner-72989761-project-11784608-concurrent-0 via runner-72989761-srm-1554910101-8f68ac00...
Initialized empty Git repository in /builds/tobias.hartmann78/variable-test/.git/
Fetching changes...
Created fresh repository.
From https://gitlab.com/tobias.hartmann78/variable-test
 * [new branch]      master     -> origin/master
 * [new branch]      test_variable_visibility -> origin/test_variable_visibility
Checking out 9352f4f1 as test_variable_visibility...

Skipping Git submodules setup
$ echo $open
open...
$ echo $protected

Job succeeded

Output of checks

This bug happens on GitLab.com

Possible fixes

tbd